- ####################
- # Purge/Flush #
- ####################
- flush ruleset
- #define admin = { 12.34.56.78/29, 10.11.12.0/8, 172.16.1.0/16 }
- #define google_dns = { 8.8.8.8, 8.8.4.4 }
- #define mailout = { 127.0.0.1 }
- #########################
- # Incoming IPv4-Traffic #
- #########################
- table ip filter {
- chain input {
- type filter hook input priority 0; policy drop;
- # drop all bad actors before we do rel/est
- ip saddr @blackhole drop
- # Allow packets to established/related connections
- ct state established,related accept
- # Drop invalid connections
- ct state invalid drop
- # Allow loopback interface
- iif lo accept
- # if the connection is NEW and is not SYN then drop
- tcp flags != syn ct state new log prefix "FIRST PACKET IS NOT SYN" drop
- # new and sending FIN the connection? DROP!
- tcp flags & (fin|syn) == (fin|syn) log prefix "SCANNER1" drop
- # i don't think we've met but you're sending a reset?
- tcp flags & (syn|rst) == (syn|rst) log prefix "SCANNER2" drop
- # 0 attack?
- tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) log prefix "SCANNER3" drop
- # xmas attack. lights up everything
- tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) log prefix "SCANNER4" drop
- # if the ctstate is invalid
- ct state invalid log flags all prefix "Invalid conntrack state: " counter drop
- # Allow ICMPv4: Ping requests | Error messages | Router selection messages
- #ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
- # icmp for ipv4 connections
- ip protocol icmp icmp type {
- destination-unreachable, router-advertisement,
- time-exceeded, parameter-problem
- } limit rate 100/second accept
- # otherwise we drop, drop, drop
- #
- # when you are troubleshooting uncomment the next line.
- # log prefix "Incoming packet dropped: "
- # Reject other packets
- # ip protocol tcp reject with tcp reset
- }
- #########################
- # Forward IPv4-Traffic #
- #########################
- chain forward {
- type filter hook forward priority 0; policy drop;
- }
- #########################
- # Outgoing IPv4-Traffic #
- #########################
- chain output {
- type filter hook output priority 0; policy accept;
- # Allow loopback interface
- oif lo accept
- # allow DNS request if they are not to Google's DNS
- # i think this would qualify as torture, but I
- # have never claimed this set to be technically
- # or morraly sound.
- #udp dport 53 ip daddr 192.168.200.1 accept
- #tcp dport 53 ip daddr 192.168.200.1 accept
- #udp dport 853 ip daddr 192.168.200.1 accept
- #tcp dport 853 ip daddr 192.168.200.1 accept
- # allow dhcp
- udp dport 67 accept
- # youtube needs this for tracking where you are in the video... weird.
- #udp dport 443 accept
- # mail, really? are you malwa... -uhm- mailware!
- #tcp dport {25} ip daddr != $mailout log prefix "SPAMALERT!" drop
- # Deny Port 80
- tcp dport {80} drop
- # allow web requests
- tcp dport { https } ct state new accept
- # limit outgoing icmp type 8 traffic
- ip protocol icmp icmp type echo-request limit rate 1/second log accept
- # log packet before it is dropped
- #log flags all prefix "Outgoing packet dropped: "
- }
- set blackhole {
- # blackhole ipset where we set the type of element as ipv4
- type ipv4_addr
- elements = { 255.255.255.255, 224.0.0.1, 224.0.0.251 }
- # we will set a timer on the element after which it is cleared
- #flags timeout
- # the value of the timer
- #timeout 1d
- }
- }
- ####################
- # IPv6 #
- ####################
- table ip6 filter {
- chain input {
- type filter hook input priority 0; policy drop;
- }
- chain forward {
- type filter hook forward priority 0; policy drop;
- }
- chain output {
- type filter hook output priority 0; policy drop;
- }
- }